AMENDMENTS TO THE CLAIMS
Please amend Claims 1-9 and 13-15 as follows.

1 . (Currently amended) A safety verification device of an electronic reactive system such 
as which is a cipher communication system or control system for a nuclear reactor or aircraft, 
represented by a set of function symbols, a set of rewriting rules, a set of axioms, a set of first 
terms, and a selected set of second terms to be verified, said set of axioms being a set consisting 
only a commutative law and an associative law, and said safety verification device of a reactive 
system comprising a processing unit, a recording unit, a translation unit, a simulation unit and a 
set operation unit, wherein: 

said set of function symbols, said set of rewriting rules, said set of axioms, said set of first 
terms, and said selected set of second terms to be verified are recorded in said recording unit;

said translation unit is controlled by said processing unit to read out said set of axioms 
and said set of first terms from said recording unit and to generate , under said set of axioms, a 
first equational tree automaton which accepts said set of first terms; 

said simulation unit is controlled by said processing unit to read out said set of rewriting 
rules, said set of axioms and said set of first terms from said recording unit and to generate, under 
said set of rewriting rules and said set of axioms and using said first equational tree automaton as 
initial data, a second equational tree automaton which accepts said set of first terms and a set that 
comprises terms derived from said set of first terms; 

said set operation unit is controlled by said processing unit to generate, using said second 
equational tree automaton and said selected set of second terms to be verified, a fourth equational
tree automaton by associating said second equational tree automaton with a third equational tree 
automaton which accepts said selected set of second terms to be verified and to determine 
whether or not a set accepted by the fourth equational tree automaton is an empty set; 

said second equational tree automaton is generated through first and second repetition 
processes; 

wherein said first repetition process comprises: 

(A) setting said first equational tree automaton to initial data;

(B) selecting an element p from a first group which consists of position
information in a tree-structure when left sides of equations, each of said equations corresponding 
to a rewriting rule in said set of rewriting rules, are described in tree-structure, wherein said 
element p is positioned at the end of said tree-structure; 

(C) determining a set of third terms by rewriting all terms which are included in a 
fifth equational tree automaton obtained in a last process performed according to the rewriting 
rule $f(c_{p1}^{t_1},\ldots,c_{pn}^{t_n}) \to c_p^{l|_p}$, wherein a function symbol of said element p is described as f,
argument terms are described as $t_1,\ldots,t_n$, and a term $l|_p$ corresponding to said element p is
described as $f(t_1,\ldots,t_n)$;

(D) obtaining a sixth equational tree automaton by performing repeatedly said (B) 
selecting and (C) determining processes regarding all elements p positioned at the ends of said 
tree-structure of said first group; and 

wherein said second repeated repetition process comprises:

(E) setting said sixth equational tree automaton to initial data; 

(F) selecting an element q from a second group which consists of position 
information in a tree-structure when right sides of equations, each of said equations 
corresponding to a rewriting rule in said set of rewriting rules, are described in tree-structure, 
wherein said element q is positioned at the end of said tree-structure; 

(G) determining a set of fourth terms by rewriting all terms which are included in 
a seventh equational tree automaton obtained in a last process performed according to the 
rewriting rule $f(d_{q1}^{t_1},\ldots,d_{qn}^{t_n}) \to d_q^{r|_q}$, wherein a function symbol of said element q is described
as f, argument terms are described as $t_1,\ldots,t_n$, and a term $r|_q$ corresponding to said element q is
described as $f(t_1,\ldots,t_n)$; and

(H) obtaining said second equational tree automaton by performing repeatedly 
said (F) selecting and (G) determining processes regarding all elements q positioned at the ends 
of said tree-structure of said second group. 



2. (Currently amended) A safety verification device of an electronic reactive system, 
such as which is a cipher communication system or control system for a nuclear reactor or
aircraft, represented by a set of function symbols, a set of rewriting rules, a set of axioms, a set of
first terms, and a selected second term to be verified, said set of axioms being a set consisting 
only a commutative law and an associative law, and said safety verification device of a reactive 
system comprising a processing unit, a recording unit, a translation unit, a simulation unit and a 
set operation unit, wherein; 

said set of function symbols, said set of rewriting rules, said set of axioms, said set of first 
terms, and said selected second term to be verified are recorded in said recording unit;

said translation unit is controlled by said processing unit to read out said set of axioms 
and said set of first terms from said recording unit and to generate , under said set of axioms, a 
first equational tree automaton which accepts said set of first terms; 

said simulation unit is controlled by said processing unit to read out said set of rewriting 
rules, said set of axioms and said set of first terms from said recording unit and to generate, under 
said set of rewriting rules and said set of axioms and using said first equational tree automaton as 
initial data, a second equational tree automaton which accepts said set of first terms and a set that 
comprises terms derived from said set of first terms; 

said set operation unit is controlled by said processing unit to determine whether or not 
said second equational tree automaton accepts said selected second term to be verified;

said second equational tree automaton is generated through first and second repetition 
processes; 

wherein said first repetition process comprises: 

(A) setting said first equational tree automaton to initial data; 

(B) selecting an element p from a first group which consists of position 
information in a tree-structure when left sides of equations, each of said equations corresponding 
to a rewriting rule in said set of rewriting rules, are described in tree-structure, wherein said 
element p is positioned at the end of said tree-structure; 

(C) determining a set of third terms by rewriting all terms which are included in a 
fifth third equational tree automaton obtained in a last process performed according to the 
rewriting rule $f(c_{p1}^{t_1},\ldots,c_{pn}^{t_n}) \to c_p^{l|_p}$, wherein a function symbol of said element p is described
as f, argument terms are described as $t_1,\ldots,t_n$, and a term $l|_p$ corresponding to said element p is
described as $f(t_1,\ldots,t_n)$;

(D) obtaining a sixth fourth equational tree automaton by performing repeatedly 
said (B) selecting and (C) determining processes regarding all elements p positioned at the ends 
of said tree-structure of said first group; and 

wherein said second repeated repetition process comprises: 

(E) setting said sixth fourth equational tree automaton to initial data; 

(F) selecting an element q from a second group which consists of position 
information in a tree-structure when right sides of equations, each of said equations 
corresponding to a rewriting rule in said set of rewriting rules, are described in tree-structure, 
wherein said element q is positioned at the end of said tree-structure; 

(G) determining a set of fourth terms by rewriting all terms which are included in 
a seventh fifth equational tree automaton obtained in a last process performed according to the 
rewriting rule $f(d_{q1}^{t_1},\ldots,d_{qn}^{t_n}) \to d_q^{r|_q}$, wherein a function symbol of said element q is described
as f, argument terms are described as $t_1,\ldots,t_n$, and a term $r|_q$ corresponding to said element q is
described as $f(t_1,\ldots,t_n)$; and

(H) obtaining said second equational tree automaton by performing repeatedly 
said (F) selecting and (G) determining processes regarding all elements q positioned at the ends 
of said tree-structure of said second group. 

3. (Currently amended) A safety verification device of a reactive system according to 
claim 1 , wherein said set of function symbols is a set comprising function symbols representing 
encryption, decryption and communication processing as elements, 

said set of rewriting rules is a set comprising as an element a rule representing that 
encrypted information is returned to plaintext by decryption, 

said selected second terms to be verified is are confidential information, and 

said set of first terms is a set of knowledge of each of subjects that exchange confidential 
information, and a set of knowledge of a subject that monitors the information exchanged 
between said subjects.

4. (Currently amended) A safety verification method of an electronic reactive system
such as , which is a cipher communication system or control system for a nuclear reactor or 
aircraft, represented by a set of function symbols, a set of rewriting rules, a set of axioms, a set of 
first terms, and a selected set of second terms to be verified, said set of axioms being a set
consisting only a commutative law and an associative law, said method being executed by a 
computer comprising a processing unit and a recording unit, and said method comprising: 

a first step in which said processing unit reads out said set of axioms and said set of first 
terms from said recording unit and generates , under said set of axioms, a first equational tree 
automaton which accepts said set of first terms; 

a second step in which said processing unit reads out said set of rewriting rules, said set 
of axioms and said set of first terms from said recording unit and generates, under said set of 
rewriting rules and said set of axioms and using said first equational tree automaton as initial 
data, a second equational tree automaton which accepts said set of first terms and a set that 
comprises terms derived from said set of first terms; and 

a third step in which said processing unit generates , using said second equational tree 
automaton and said selected set of second terms to be verified, a fourth equational tree automaton
by associating said second equational tree automaton with a third equational tree automaton
which accepts said selected set of second terms to be verified and said processing unit determines
whether or not a set accepted by the fourth equational tree automaton is an empty set, wherein 
said second step comprises first and second repetition processes; 

wherein said first repetition process comprises: 

(A) setting said first equational tree automaton to initial data; 

(B) selecting an element p from a first group which consists of position 
information in a tree-structure when left sides of equations, each of said equations corresponding 
to a rewriting rule in said set of rewriting rules, are described in tree-structure, wherein said 
element p is positioned at the end of said tree-structure; 

(C) determining a set of third terms by rewriting all terms which are included in a 
fifth equational tree automaton obtained in a last process performed according to the rewriting
rule $f(c_{p1}^{t_1},\ldots,c_{pn}^{t_n}) \to c_p^{l|_p}$, wherein a function symbol of said element p is described as f,
argument terms are described as $t_1,\ldots,t_n$, and a term $l|_p$ corresponding to said element p is
described as $f(t_1,\ldots,t_n)$;

(D) obtaining a sixth equational tree automaton by performing repeatedly said (B) 
selecting and (C) determining processes regarding all elements p positioned at the ends of said 
tree-structure of said first group; and 

wherein said second repeated repetition process comprises: 

(E) setting said sixth equational tree automaton to initial data; 

(F) selecting an element q from a second group which consists of position 
information in a tree-structure when right sides of equations, each of said equations 
corresponding to a rewriting rule in said set of rewriting rules, are described in tree-structure, 
wherein said element q is positioned at the end of said tree-structure; 

(G) determining a set of fourth terms by rewriting all terms which are included in 
a seventh equational tree automaton obtained in a last process performed according to the 
rewriting rule $f(d_{q1}^{t_1},\ldots,d_{qn}^{t_n}) \to d_q^{r|_q}$, wherein a function symbol of said element q is described
as f, argument terms are described as $t_1,\ldots,t_n$, and a term $r|_q$ corresponding to said element q is
described as $f(t_1,\ldots,t_n)$; and

(H) obtaining said second equational tree automaton by performing repeatedly 
said (F) selecting and (G) determining processes regarding all elements q positioned at the ends 
of said tree-structure of said second group. 

5. (Currently amended) A safety verification method of an electronic reactive system 
such as , which is a cipher communication system or control system for a nuclear reactor or 
aircraft, represented by a set of function symbols, a set of rewriting rules, a set of axioms, a set of 
first terms, and a selected second term to be verified, said set of axioms being a set consisting
only a commutative law and an associative law, said method being executed by a computer 
comprising a processing unit and a recording unit, and said method comprising:

a first step in which said processing unit reads out said set of axioms and said set of first
terms from said recording unit and generates-, under said set of axioms, a first equational tree 
automaton which accepts said set of first terms; 

a second step in which said processing unit reads out said set of rewriting rules, said set 
of axioms and said set of first terms from said recording unit and generates, under said set of 
rewriting rules and said set of axioms and using said first equational tree automaton as initial 
data, a second equational tree automaton which accepts said set of first terms and a set that 
comprises terms derived from said set of first terms; and 

a third step in which said processing unit determines whether or not said second 
equational tree automaton accepts said selected second term to be verified, wherein said second 
step comprises first and second repetition processes; 

wherein said first repetition process comprises: 

(A) setting said first equational tree automaton to initial data; 

(B) selecting an element p from a first group which consists of position 
information in a tree-structure when left sides of equations, each of said equations corresponding 
to a rewriting rule in said set of rewriting rules, are described in tree-structure, wherein said 
element p is positioned at the end of said tree-structure; 

(C) determining a set of third terms by rewriting all terms which are included in a 
fifth third equational tree automaton obtained in a last process performed according to the 
rewriting rule $f(c_{p1}^{t_1},\ldots,c_{pn}^{t_n}) \to c_p^{l|_p}$, wherein a function symbol of said element p is described
as f, argument terms are described as $t_1,\ldots,t_n$, and a term $l|_p$ corresponding to said element p is
described as $f(t_1,\ldots,t_n)$;

(D) obtaining a sixth fourth equational tree automaton by performing repeatedly 
said (B) selecting and (C) determining processes regarding all elements p positioned at the ends 
of said tree-structure of said first group; and 

wherein said second repeated repetition process comprises:

(E) setting said sixth fourth equational tree automaton to initial data;

(F) selecting an element q from a second group which consists of position 
information in a tree-structure when right sides of equations, each of said equations
corresponding to a rewriting rule in said set of rewriting rules, are described in tree-structure,
wherein said element q is positioned at the end of said tree-structure; 

(G) determining a set of fourth terms by rewriting all terms which are included in 
a seventh fifth equational tree automaton obtained in a last process performed according to the 
rewriting rule $f(d_{q1}^{t_1},\ldots,d_{qn}^{t_n}) \to d_q^{r|_q}$, wherein a function symbol of said element q is described
as f, argument terms are described as $t_1,\ldots,t_n$, and a term $r|_q$ corresponding to said element q is
described as $f(t_1,\ldots,t_n)$; and

(H) obtaining said second equational tree automaton by performing repeatedly 
said (F) selecting and (G) determining processes regarding all elements q positioned at the ends 
of said tree-structure of said second group. 

6. (Currently amended) A safety verification method of a reactive system according to 
claim 4, wherein said set of function symbols is a set comprising function symbols representing 
encryption, decryption and communication processing as elements, 

said set of rewriting rules is a set comprising as an element a rule representing that
encrypted information is returned to plaintext by decryption,

said selected second terms to be verified is are confidential information, and

said set of first terms is a set of knowledge of each of subjects that exchange confidential
information, and a set of knowledge of a subject that monitors the information exchanged
between said subjects.

7. (Currently amended) A computer-readable recording medium containing a reactive 
system safety verification computer program, said reactive system being an electronic system 
such as , which is a cipher communication system or control system for a nuclear reactor or 
aircraft, said computer program being executed by a computer comprising a processing unit and a 
recording unit, and said computer program comprising: 

a first program code which makes said processing unit to accept an input of a procedure 
represented by a set of function symbols, a set of rewriting rules, a set of axioms, a set of first
terms, and a selected set of second terms to be verified and to record said procedure in said
recording unit; 

a second program code which makes said processing unit to read out said set of axioms 
and said set of first terms from said recording unit and to generate, under said set of axioms 
consisting only of a commutative law and an associative law, a first equational tree automaton 
which accepts said set of first terms; 

a third program code which makes said processing unit to read out said set of rewriting 
rules, said set of axioms and said set of first terms from said recording unit and to generate, under 
said set of rewriting rules and said set of axioms and using said first equational tree automaton as 
initial data, a second equational tree automaton which accepts said set of first terms and a set 
that comprises terms derived from said set of first terms; and 

a fourth program code which makes said processing unit to generate , using said second 
equational tree automaton and said selected set of second terms to be verified, a fourth equational
tree automaton by associating said second equational tree automaton with a third equational tree 
automaton which accepts said selected set of second terms to be verified and to determine 
whether or not a set accepted by the fourth equational tree automaton is an empty set, wherein 
said second program code makes said processing unit to execute first and second repetition 
processes; 

wherein said first repetition process comprises: 

(A) setting said first equational tree automaton to initial data; 

(B) selecting an element p from a first group which consists of position 
information in a tree-structure when left sides of equations, each of said equations corresponding 
to a rewriting rule in said set of rewriting rules, are described in tree-structure, wherein said 
element p is positioned at the end of said tree-structure; 

(C) determining a set of third terms by rewriting all terms which are included in a 
fifth equational tree automaton obtained in a last process performed according to the rewriting 
rule $f(c_{p1}^{t_1},\ldots,c_{pn}^{t_n}) \to c_p^{l|_p}$, wherein a function symbol of said element p is described as f,
argument terms are described as $t_1,\ldots,t_n$, and a term $l|_p$ corresponding to said element p is
described as $f(t_1,\ldots,t_n)$;

(D) obtaining a sixth equational tree automaton by performing repeatedly said (B)
selecting and (C) determining processes regarding all elements p positioned at the ends of said 
tree-structure of said first group; and 

wherein said second repeated repetition process comprises:

(E) setting said sixth equational tree automaton to initial data; 

(F) selecting an element q from a second group which consists of position 
information in a tree-structure when right sides of equations, each of said equations 
corresponding to a rewriting rule in said set of rewriting rules, are described in tree-structure, 
wherein said element q is positioned at the end of said tree-structure; 

(G) determining a set of fourth terms by rewriting all terms which are included in 
a seventh equational tree automaton obtained in a last process performed according to the 
rewriting rule $f(d_{q1}^{t_1},\ldots,d_{qn}^{t_n}) \to d_q^{r|_q}$, wherein a function symbol of said element q is described
as f, argument terms are described as $t_1,\ldots,t_n$, and a term $r|_q$ corresponding to said element q is
described as $f(t_1,\ldots,t_n)$; and

(H) obtaining said second equational tree automaton by performing repeatedly 
said (F) selecting and (G) determining processes regarding all elements q positioned at the ends 
of said tree-structure of said second group. 

8. (Currently amended) A computer-readable recording medium containing a reactive 
system safety verification computer program, said reactive system being an electronic system 
such as , which is a cipher communication system or control system for a nuclear reactor or 
aircraft, said computer program being executed by a computer comprising a processing unit and a 
recording unit, and said computer program comprising: 

a first program code which makes said processing unit to accept an input of a procedure 
represented by a set of function symbols, a set of rewriting rules, a set of axioms, a set of first 
terms, and a selected second term to be verified and to record said procedure in said recording 
unit; 

a second program code which makes said processing unit to read out said set of axioms 
and said set of first terms from said recording unit and to generate , under said set of axioms
consisting only of a commutative law and an associative law, a first equational tree automaton
which accepts said set of first terms; 

a third program code which makes said processing unit to read out said set of rewriting 
rules, said set of axioms and said set of first terms from said recording unit and to generate, under 
said set of rewriting rules and said set of axioms and using said first equational tree automaton as 
initial data, a second equational tree automaton which accepts said set of first terms and a set that 
comprises terms derived from said set of first terms; and 

a fourth program code which makes said processing unit to determine whether or not said 
second equational tree automaton accepts said selected second term to be verified, wherein said 
second program code makes said processing unit to execute first and second repetition processes; 

wherein said first repetition process comprises: 

(A) setting said first equational tree automaton to initial data; 

(B) selecting an element p from a first group which consists of position 
information in a tree-structure when left sides of equations, each of said equations corresponding 
to a rewriting rule in said set of rewriting rules, are described in tree-structure, wherein said 
element p is positioned at the end of said tree-structure; 

(C) determining a set of third terms by rewriting all terms which are included in a 
fifth third equational tree automaton obtained in a last process performed according to the
rewriting rule $f(c_{p1}^{t_1},\ldots,c_{pn}^{t_n}) \to c_p^{l|_p}$, wherein a function symbol of said element p is described
as f, argument terms are described as $t_1,\ldots,t_n$, and a term $l|_p$ corresponding to said element p is
described as $f(t_1,\ldots,t_n)$;

(D) obtaining a sixth fourth equational tree automaton by performing repeatedly 
said (B) selecting and (C) determining processes regarding all elements p positioned at the ends 
of said tree-structure of said first group; and 

wherein said second repeated repetition process comprises:

(E) setting said sixth fourth equational tree automaton to initial data; 

(F) selecting an element q from a second group which consists of position
information in a tree-structure when right sides of equations, each of said equations
corresponding to a rewriting rule in said set of rewriting rules, are described in tree-structure,
wherein said element q is positioned at the end of said tree-structure;

Appl. No.: 10/521,671
Filed: September 15, 2005

(G) determining a set of fourth terms by rewriting all terms which are included in 
a seventh fifth equational tree automaton obtained in a last process performed according to the 
rewriting rule $f(d_{q1}^{t_1},\ldots,d_{qn}^{t_n}) \to d_q^{r|_q}$, wherein a function symbol of said element q is described
as f, argument terms are described as $t_1,\ldots,t_n$, and a term $r|_q$ corresponding to said element q is
described as $f(t_1,\ldots,t_n)$; and

(H) obtaining said second equational tree automaton by performing repeatedly 
said (F) selecting and (G) determining processes regarding all elements q positioned at the ends 
of said tree-structure of said second group. 

9. (Currently amended) A computer-readable recording medium containing a reactive 
system safety verification computer program according to claim 7, wherein said set of function 
symbols is a set comprising function symbols representing encryption, decryption and 
communication processing as elements, 

said set of rewriting rules is a set comprising as an element a rule representing that 
encrypted information is returned to plaintext by decryption, 

said selected second terms to be verified is are confidential information, and

said set of first terms is a set of knowledge of each of subjects that exchange confidential 
information, and a set of knowledge of a subject that monitors the information exchanged 
between said subjects. 

10-12. (Cancelled) 

13. (Currently amended) A safety verification device of a reactive system according to 
claim 2, wherein said set of function symbols is a set comprising function symbols representing 
encryption, decryption and communication processing as elements, 

said set of rewriting rules is a set comprising as an element a rule representing that 
encrypted information is returned to plaintext by decryption,

said selected second term to be verified is confidential information, and

said set of first terms is a set of knowledge of each of subjects that exchange confidential
information, and a set of knowledge of a subject that monitors the information exchanged
between said subjects.

14. (Currently amended) A safety verification method of a reactive system according to 
claim 5, wherein said set of function symbols is a set comprising function symbols representing 
encryption, decryption and communication processing as elements, 

said set of rewriting rules is a set comprising as an element a rule representing that
encrypted information is returned to plaintext by decryption,

said selected second term to be verified is confidential information, and

said set of first terms is a set of knowledge of each of subjects that exchange confidential
information, and a set of knowledge of a subject that monitors the information exchanged
between said subjects.

15. (Currently amended) A computer-readable recording medium containing a reactive 
system safety verification computer program according to claim 8, wherein said set of function 
symbols is a set comprising function symbols representing encryption, decryption and 
communication processing as elements, 

said set of rewriting rules is a set comprising as an element a rule representing that
encrypted information is returned to plaintext by decryption,

said selected second term to be verified is confidential information, and

said set of first terms is a set of knowledge of each of subjects that exchange confidential
information, and a set of knowledge of a subject that monitors the information exchanged
between said subjects.



16. (Cancelled) 



